Over the weekend a good friend and aviator sent through a
link related to the proposed networking structure of the new
Boeing 787 Dreamliner. The FAA document entitled “Special
Conditions: Boeing Model 787-8 Airplane; Systems and Data Networks
Security--Isolation or Protection From Unauthorized Passenger
Domain Systems Access” addresses responses to a notification made
back in April 2007, and encapsulates discussions between the FAA,
the Air Line Pilots Association (ALPA) and Airbus.

One of the key statements in the document relates to how the 787
“allows new kinds of passenger connectivity to previously isolated
data networks connected to systems that perform functions required
for the safe operation of the airplane. Because of this new
passenger connectivity, the proposed data network design and
integration may result in security vulnerabilities from intentional
or unintentional corruption of data and systems critical to the
safety and maintenance of the airplane.”

The FAA ends up addressing this concern with the following
special condition:
“The design shall prevent all inadvertent or malicious changes to,
and all adverse impacts upon, all systems, networks, hardware,
software, and data in the Aircraft Control Domain and in the Airline
Information Domain from all points within the Passenger Information
and Entertainment Domain.”

What's to worry about?

There isn’t much public information about how this is supposed to be
done, or what Boeing actually has in the works. Most of what has been
published says only that the passenger, airline and aircraft-control
networks will share communication channels, and that devices will be
placed between them to stop the passenger network from controlling
other networked systems on the plane. Even on that limited
information, I’d have concerns.

I’m sure most of us have heard about the weird and wacky projects an
engineer has to complete to get a professional degree. I remember once
watching project finalists build a bridge that could support their own
weight, to cross a small stream, using only rolled-up newspapers and
sticky tape. It’s the image that came to mind when I read about the
787’s “Novel or Unusual Design Features”.

Yes, you can build a small bridge using only rolled-up newspapers and
sticky tape. If you build it big enough, you can probably even make it
into the Guinness Book of Records. However, people don’t use these
materials to build bridges that have to stand up to real-life
requirements – too much can go wrong.

That newspaper bridge was what came to mind while I was reading up on
this shared network proposal. Too many things could go wrong. The
aviation engineers I know are experts on resiliency, redundancy and
fail-safe design. But therein lies one of the problems: fail-safe is
not the same as fail-secure. It’s all very well to ask what happens
when some component fails and to include contingencies for it, but it’s
an entirely different kettle of fish when you have to counter someone
with malicious intent who is actively hacking or exploiting weaknesses.

Hope for the best, plan for the worst

Let’s assume that some of the world’s best network engineers
design the hardware, and the world’s best software engineers write
the applications and operating systems. That’s still no
guarantee that there aren’t flaws in the systems – just look at the
software you use today.

In that case, let’s assume that after it’s all been designed and
built, it gets penetration tested. In fact, let’s say that I was
allowed to conduct a month-long penetration test of these systems, and
that I had a dozen of the world’s top-named reverse engineers and
pentesters working with me on it. Even after every discovered bug was
fixed (and verified as fixed) I’d probably still be concerned about the
security (and integrity) of those systems – and the report would
probably be filled with so many CYA caveats (e.g. invalid if any
patches or updates are ever applied to the system, etc.) that I’d be
embarrassed to charge money for it.

Safety and security aren't complementary bedfellows.

I’d like to see the FAA put a little more meat behind “special
condition” requirements – and be precise about what networking
security controls need to be in place. I think the term “air
gap” should feature in their wording.

The last place I’d like to be is on a 14-hour 787 flight from London
to Singapore with a bored 16-year-old who, only a couple of hours into
the flight, decides to see whether she can listen to what the pilots
are saying after ARP flooding the VLAN switch that was supposed to
segregate the different networks. Then again, perhaps triggering an
in-flight fireworks party would be exciting, once she manages to hack
into any new anti-shoulder-launched-missile defense systems?
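To make the fail-safe versus fail-secure distinction concrete, and the seat-side flooding scenario above, here is an added example of mine; it is not code from the original post, nor anything from Boeing or FAA material. What the post calls ARP flooding a switch is, in its classic form, CAM-table overflow (MAC flooding): the attacker sends frames carrying thousands of forged source addresses until the switch's forwarding table is full. A switch built to keep forwarding when the table is exhausted (fail-safe for availability) can no longer learn where a legitimate host lives, so frames for that host are flooded out of every port, including the attacker's. The fail-secure variant caps the number of addresses a port may learn and disables the port on a violation, which is what port security does on a real switch (on Cisco IOS, `switchport port-security maximum`). The domain names, port numbers, MAC addresses, aging period and table size below are constructed, and the table is tiny compared with real hardware.

```python
"""Toy Ethernet switch with a bounded MAC (CAM) table.

Constructed example: port 1 = a host in the Aircraft Control Domain,
port 2 = a host in the Airline Information Domain, port 3 = a passenger
seat device. Sizes are deliberately tiny.
"""
from dataclasses import dataclass

ACD_HOST = "02:00:00:ac:d0:01"   # constructed MAC, Aircraft Control Domain host
AID_HOST = "02:00:00:a1:d0:01"   # constructed MAC, Airline Information Domain host
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    in_port: int


class Switch:
    def __init__(self, capacity, age, max_macs_per_port=None):
        self.capacity = capacity                    # CAM table size
        self.age = age                              # aging period, in frames
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.ports = {1, 2, 3}
        self.cam = {}            # mac -> (port, last_seen)
        self.shutdown = set()    # ports err-disabled by a port-security violation
        self.clock = 0
        self.unlearned = 0       # frames whose source could not be learned (table full)
        self.events = []

    def _age_out(self):
        # Periodic aging scan, as on real switches: entries are not evicted on demand.
        if self.clock % self.age != 0:
            return
        stale = [m for m, (_, seen) in self.cam.items() if self.clock - seen >= self.age]
        for m in stale:
            del self.cam[m]

    def _learn(self, src, port):
        if src in self.cam:
            self.cam[src] = (port, self.clock)          # refresh
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p, _ in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                # Fail-secure: the port that violates the limit is shut down.
                self.shutdown.add(port)
                self.events.append(f"t={self.clock}: port {port} shut down, too many MACs ({src})")
                return
        if len(self.cam) >= self.capacity:
            # Fail-safe: table full, nothing learned, the switch keeps forwarding.
            self.unlearned += 1
            return
        self.cam[src] = (port, self.clock)

    def forward(self, frame):
        """Return the set of ports the frame leaves the switch on."""
        self.clock += 1
        if frame.in_port in self.shutdown:
            return set()
        self._age_out()
        self._learn(frame.src, frame.in_port)
        if frame.in_port in self.shutdown:       # shut down by this very frame
            return set()
        entry = self.cam.get(frame.dst)
        if entry is not None:
            return {entry[0]} - {frame.in_port}
        # Unknown unicast (or broadcast): flood out of every other live port.
        return self.ports - {frame.in_port} - self.shutdown


def run_scenario(sw, flood_frames):
    """Legit traffic, then a seat-side MAC flood, then legit traffic again.

    Returns the ports the final AID -> ACD frame is delivered to. If port 3
    (the seat) is among them, the passenger device can sniff that traffic.
    """
    sw.forward(Frame(ACD_HOST, AID_HOST, 1))          # switch learns ACD host on port 1
    sw.forward(Frame(AID_HOST, ACD_HOST, 2))          # ... and AID host on port 2
    for i in range(flood_frames):                     # forged, distinct source MACs
        bogus = f"02:bb:bb:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        sw.forward(Frame(bogus, BROADCAST, 3))
    sw.forward(Frame(ACD_HOST, AID_HOST, 1))          # ACD host speaks again
    return sw.forward(Frame(AID_HOST, ACD_HOST, 2))   # where does this end up?


if __name__ == "__main__":
    open_sw = Switch(capacity=256, age=300)
    print("fail-safe switch delivers AID->ACD to ports:", run_scenario(open_sw, 1000))
    secure_sw = Switch(capacity=256, age=300, max_macs_per_port=1)
    print("port-security switch delivers AID->ACD to ports:", run_scenario(secure_sw, 1000))
    print(secure_sw.events)
```

In the fail-safe run the ACD host's entry ages out while it is quiet, the seat fills the table with forged addresses, and the host cannot be relearned when it returns, so the frame addressed to it is flooded to port 3. In the port-security run the second forged address disables the seat port, the table stays healthy and the frame goes only to port 1. The point is not the toy numbers but the design question behind them: a device that stays up and keeps forwarding under abuse has met its safety requirement and failed its security one.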

Note to self: I guess I should have posted this
Sunday morning because this afternoon I saw that it had made it to
The Register and then on to Bruce Schneier’s
blog.